Return Security Events for Yesterday

Can anyone determine why the following will not give me only yesterday's security events from the eventlog. It seems to give me around 12 hours worth of events and includes some from today's date? I want yesterday's events all 24 hours worth.

It must be something with my dtmStartDate and dtmEndDate, but I can't figure out what

Thanks in Advance

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Variables
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Set objShell = CreateObject("WScript.Shell")
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
DateToCheck = Date - 1
dtmEndDate.SetVarDate Date, True
dtmStartDate.SetVarDate DateToCheck, True

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Main
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

strCompArray = array("MyServer")

'Run Query
For Each strComputer In strCompArray
    WScript.Echo
    WScript.Echo "=========================================="
    WScript.Echo "Computer: " & strComputer
    WScript.Echo "=========================================="
    On Error Resume Next
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security )}!\\" & _
        strComputer & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent Where Logfile='Security' and TimeWritten >= '" & _
        dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'", "WQL", _
        wbemFlagReturnImmediately Or wbemFlagForwardOnly)
    For Each objItem In colItems
        WScript.Echo "Category: " & objItem.Category
        WScript.Echo "CategoryString: " & objItem.CategoryString
        WScript.Echo "ComputerName: " & objItem.ComputerName
        strData = Join(objItem.Data, ",")
        WScript.Echo "Data: " & strData
        WScript.Echo "EventCode: " & objItem.EventCode
        WScript.Echo "EventIdentifier: " & objItem.EventIdentifier
        WScript.Echo "EventType: " & objItem.EventType
        strInsertionStrings = Join(objItem.InsertionStrings, ",")
        WScript.Echo "InsertionStrings: " & strInsertionStrings
        WScript.Echo "Logfile: " & objItem.Logfile
        WScript.Echo "Message: " & objItem.Message
        WScript.Echo "RecordNumber: " & objItem.RecordNumber
        WScript.Echo "SourceName: " & objItem.SourceName
        WScript.Echo "TimeGenerated: " & WMIDateStringToDate(objItem.TimeGenerated)
        WScript.Echo "TimeWritten: " & WMIDateStringToDate(objItem.TimeWritten)
        WScript.Echo "Type: " & objItem.Type
        WScript.Echo "User: " & objItem.User
        WScript.Echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
    Next
Next

wscript.echo "Complete"

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Subs and Functions
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Function WMIDateStringToDate(dtmDate)
    WScript.Echo dtm:
    WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
        Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
        & " " & Mid (dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate,13, 2))
End Function

"Bob Smith" <BobSm***@discussions.microsoft.com> wrote in message news:7A75D618-62A4-421F-9692-3FFA9A26B294@microsoft.com...
> Can anyone determine why the following will not give me only yesterday's
> security events from the eventlog. It seems to give me around 12 hours worth
> of events and includes some from today's date? I want yesterday's events all 24
> hours worth.
>
> It must be something with my dtmStartDate and dtmEndDate, but I can't figure
> out what
>
> Thanks in Advance
>
> '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
> ' Variables
> '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
> Set objShell = CreateObject("WScript.Shell")
> Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
> Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
> DateToCheck = Date - 1
> dtmEndDate.SetVarDate Date, True
> dtmStartDate.SetVarDate DateToCheck, True
>
> Const wbemFlagReturnImmediately = &h10
> Const wbemFlagForwardOnly = &h20
>
> '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
> ' Main
> '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
>
> strCompArray = array("MyServer")
>
> 'Run Query
> For Each strComputer In strCompArray
> WScript.Echo
> WScript.Echo "=========================================="
> WScript.Echo "Computer: " & strComputer
> WScript.Echo "=========================================="
> On Error Resume Next
> Set objWMIService =
> GetObject("winmgmts:{impersonationLevel=impersonate,(Security )}!\\" &
> strComputer & "\root\cimv2")
> Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent
> Where Logfile='Security' and TimeWritten >= '" & dtmStartDate & "' and
> TimeWritten < '" & dtmEndDate & "'", "WQL",wbemFlagReturnImmediately Or
> wbemFlagForwardOnly)
> For Each objItem In colItems
> WScript.Echo "Category: " & objItem.Category
> WScript.Echo "CategoryString: " & objItem.CategoryString
> WScript.Echo "ComputerName: " & objItem.ComputerName
> strData = Join(objItem.Data, ",")
> WScript.Echo "Data: " & strData
> WScript.Echo "EventCode: " & objItem.EventCode
> WScript.Echo "EventIdentifier: " & objItem.EventIdentifier
> WScript.Echo "EventType: " & objItem.EventType
> strInsertionStrings = Join(objItem.InsertionStrings, ",")
> WScript.Echo "InsertionStrings: " & strInsertionStrings
> WScript.Echo "Logfile: " & objItem.Logfile
> WScript.Echo "Message: " & objItem.Message
> WScript.Echo "RecordNumber: " & objItem.RecordNumber
> WScript.Echo "SourceName: " & objItem.SourceName
> WScript.Echo "TimeGenerated: " &
> WMIDateStringToDate(objItem.TimeGenerated)
> WScript.Echo "TimeWritten: " &
> WMIDateStringToDate(objItem.TimeWritten)
> WScript.Echo "Type: " & objItem.Type
> WScript.Echo "User: " & objItem.User
> WScript.Echo
> "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
> Next
> Next
>
> wscript.echo "Complete"
>
> '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
> ' Subs and Functions
> '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
>
> Function WMIDateStringToDate(dtmDate)
> WScript.Echo dtm:
> WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
> Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
> & " " & Mid (dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" &
> Mid(dtmDate,13, 2))
> End Function

(Don't have a compiler/engine to test, but best guess...)

Dates are really "Date/Time". If you don't provide a Time it defaults to Midnight. Simple comparisons often do not show the results expected. Either add a 'Time' or go back an extra day.

-ralph

Hi Ralph,

Thanks, you steered me in the right direction. I needed to take away 6 hours from the date. I'm not sure why but it seems that when DATE is used with SetVarDate it makes the time "20050703060000.000000-360". Notice the WMI time 2005070306<--- + 6 hrs. Not sure why it does this. The following lines got me back and working!

dtmEndDate.SetVarDate dateadd("h", -6, Date), True
dtmStartDate.SetVarDate dateadd("h", -6,DateToCheck), True

Bob Smith wrote:
> Hi Ralph,
>
> Thanks, you steered me in the right direction. I needed to take away
> 6 hours from the date. I'm not sure why but it seems that when DATE
> is used with SetVarDate it makes the time
> "20050703060000.000000-360". Notice the WMI time 2005070306<--- + 6
> hrs. Not sure why it does this. The following lines got me back and
> working!
>
> dtmEndDate.SetVarDate dateadd("h", -6, Date), True
> dtmStartDate.SetVarDate dateadd("h", -6,DateToCheck), True

Isn't -6 hrs your locale time-zone offset? AFAIK, the event log records time-stamps as GMT.

From the source of your posting I can see -0700 as time-zone, which does not quite agree with this hypothesis, but the machine from where the log has been taken might have different setting ...

--
PZ

Yes I am -700hrs(MST), perhaps daylight savings is changing that

I thought about that, but when I query the events in the Event log all events show a WMI time with -360 (6hours) CMT added to the end.

When I convert the date using dtmEndDate.SetVarDate date, True I get 20050705060000.000000-360 returned. I am now using "dtmEndDate.Hours 0" to get 12:00am instead of 6:00am and it seems to work.

If I use dtmEndDate.SetVarDate date, False I get 20050705060000.000000+000 but the format in the Eventlog is -360 based on CMT.

I still don't quite understand what is going on here

"Pásztor, Zoltán" wrote:
> Bob Smith wrote:
> > Hi Ralph,
> >
> > Thanks, you steered me in the right direction. I needed to take away
> > 6 hours from the date. I'm not sure why but it seems that when DATE
> > is used with SetVarDate it makes the time
> > "20050703060000.000000-360". Notice the WMI time 2005070306<--- + 6
> > hrs. Not sure why it does this. The following lines got me back and
> > working!
> >
> > dtmEndDate.SetVarDate dateadd("h", -6, Date), True
> > dtmStartDate.SetVarDate dateadd("h", -6,DateToCheck), True
>
> Isn't -6 hrs your locale time-zone offset? AFAIK, the event log records
> time-stamps as GMT.
>
> From the source of your posting I can see -0700 as time-zone, which does
> not quite agree with this hypothesis, but the machine from where the log has
> been taken might have different setting ...
>
> --
> PZ
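
Added example, not code from any poster in this thread: a small Python model of the WMI datetime strings discussed above (yyyymmddHHMMSS.mmmmmm plus a signed UTC offset in minutes). It compares which events a window bounded at 06:00 with a -360 offset selects against a local midnight-to-midnight window. The sample events are constructed, and it assumes bounds and event times are compared as absolute instants, offset included.

```python
import re
from datetime import date, datetime, timedelta, timezone

# CIM_DATETIME: yyyymmddHHMMSS.mmmmmm, then a sign and the UTC offset in minutes.
_CIM = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")

def parse_cim(value):
    """Parse a WMI datetime string into a timezone-aware datetime."""
    m = _CIM.match(value)
    if not m:
        raise ValueError("not a CIM_DATETIME timestamp: %r" % value)
    stamp, micro, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes) * (1 if sign == "+" else -1))
    naive = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(microsecond=int(micro))
    return naive.replace(tzinfo=timezone(offset))

def to_cim(dt):
    """Format a timezone-aware datetime as a WMI datetime string."""
    minutes = int(dt.utcoffset().total_seconds() // 60)
    sign = "-" if minutes < 0 else "+"
    return "%s.%06d%s%03d" % (dt.strftime("%Y%m%d%H%M%S"), dt.microsecond, sign, abs(minutes))

def day_window(day, offset_minutes):
    """Return (start, end) strings for local midnight to midnight of `day`."""
    tz = timezone(timedelta(minutes=offset_minutes))
    start = datetime(day.year, day.month, day.day, tzinfo=tz)
    return to_cim(start), to_cim(start + timedelta(days=1))

def in_window(events, start, end):
    """Keep events with start <= TimeWritten < end, compared as instants."""
    lo, hi = parse_cim(start), parse_cim(end)
    return [e for e in events if lo <= parse_cim(e) < hi]

# Constructed sample TimeWritten values (not taken from the thread).
EVENTS = [
    "20050703003000.000000-360",  # yesterday 00:30 local
    "20050703120000.000000-360",  # yesterday 12:00 local
    "20050703233000.000000-360",  # yesterday 23:30 local
    "20050704020000.000000-360",  # today 02:00 local
]
# Bounds shaped like the value reported in the thread: 06:00 with a -360 offset.
SHIFTED = ("20050703060000.000000-360", "20050704060000.000000-360")
CORRECT = day_window(date(2005, 7, 4) - timedelta(days=1), -360)

if __name__ == "__main__":
    print("shifted:", in_window(EVENTS, *SHIFTED))
    print("correct:", CORRECT, in_window(EVENTS, *CORRECT))
```

The shifted bounds drop the early-morning event from yesterday and pick up the one from today, matching the symptom in the first post; the midnight bounds carry the same -360 offset that the event log entries show.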